Contents of the CHK.DOC file

CHKMEM & CHKBOOT

The CHK programs, CHKBOOT and CHKMEM, are part of a suite of programs which I have developed as personal tools for the investigation of viruses. For some reason (possibly laziness) I have become something of a specialist in Master Boot Record and DOS Boot Record infections.

Each carries its own documentation internally. To read it, for CHKMEM simply TYPE the program (e.g. TYPE CHKBOOT.COM); for CHKBOOT, invocation without a drive letter (e.g. CHKBOOT) will provide help.

With the current rise in number and prevalence of such infections - in particular the destructive MICHELANGELO - I am releasing these programs as FREEWARE to the general public so long as they are not changed in any way, and in particular so long as the ASCII notices remain intact and are displayed.

Like any personal tool, I can make no guarantee as to the fitness for any use, but they have proven effective for me. They are not 100% effective against any and all viruses, but CHKMEM will find all of the MBR infectors and quite a few of the file infectors that go resident in the "upper 640". MICHELANGELO in particular will return a total memory value that is 2k lower than expected (most 640k machines should return A000 seg 640k 655,360 bytes when clean) when resident, as will STONED and most of its variants.

If DOS 4.x is in use, this return may be 1k lower - 9FC0 seg - and certain COMPAQ and other machines with dedicated mouse buffers may do so also, as will most BIOS-beginning security programs such as my DiskSecure program. Be aware that such a memory loss may be normal, but any should be investigated to determine what the cause is. If you have a low value and are in doubt, one test would be to boot from a known, clean, write-protected floppy and see if the values are the same. Note that the lower two values will change depending on what TSRs are loaded, but their sum should remain the same.

The best use of CHKMEM is before a virus strikes, to record "clean" values. This way any differences will be readily noticeable.
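The arithmetic behind these readings, as an added example that is not part of CHKMEM or of the original file. It assumes the total is the BIOS base-memory word (in KB, at offset 13h of the BIOS Data Area, 0040:0013), which the text does not state, and that `bda` is a copy of that area taken from an emulator or memory image; all function and type names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Verdicts mirror the thresholds described in the text above. */
enum verdict { MEM_MATCH, MEM_LOW_1K, MEM_LOW_2K_PLUS, MEM_ABOVE };

struct mem_report {
    uint16_t kb;       /* top of conventional memory in KB */
    uint16_t segment;  /* same boundary as a real-mode segment */
    uint32_t bytes;    /* same boundary in bytes */
    enum verdict verdict;
};

/* Assumption: bda is a 256-byte copy of the BIOS Data Area (0040:0000);
 * the little-endian word at offset 13h is the base memory size in KB. */
struct mem_report check_base_memory(const uint8_t *bda, uint16_t baseline_kb)
{
    struct mem_report r;
    r.kb = (uint16_t)(bda[0x13] | (bda[0x14] << 8));
    r.segment = (uint16_t)(r.kb * 64u);  /* 1 KB = 64 paragraphs of 16 bytes */
    r.bytes = (uint32_t)r.kb * 1024u;
    if (r.kb == baseline_kb)          r.verdict = MEM_MATCH;
    else if (r.kb > baseline_kb)      r.verdict = MEM_ABOVE;
    else if (baseline_kb - r.kb == 1) r.verdict = MEM_LOW_1K;      /* may be normal; find the cause */
    else                              r.verdict = MEM_LOW_2K_PLUS; /* loss seen with resident STONED-type code */
    return r;
}

int main(void)
{
    static const char *text[] = { "matches baseline", "1k low", "2k or more low", "above baseline" };
    uint16_t samples[] = { 640, 639, 638 };  /* constructed readings */
    for (int i = 0; i < 3; i++) {
        uint8_t bda[256] = { 0 };            /* constructed snapshot */
        bda[0x13] = (uint8_t)(samples[i] & 0xFF);
        bda[0x14] = (uint8_t)(samples[i] >> 8);
        struct mem_report r = check_base_memory(bda, 640);
        printf("%uk  seg %04X  %lu bytes  %s\n", (unsigned)r.kb, (unsigned)r.segment,
               (unsigned long)r.bytes, text[r.verdict]);
    }
    return 0;
}
```

The baseline argument is the "clean" value recorded beforehand; on a machine whose clean reading is already 639k, a 638k reading is only 1k low and is reported as such.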

CHKBOOT simply checks the boot record of floppy and fixed disks for adherence to certain rules. Note that STONED and MICHELANGELO will not be detectable on fixed disks this way since they are MBR, not DOS Boot Record, infectors. CHKBOOT will detect these infections (and others) very effectively on floppies. Also please note that it will not detect certain viruses that "play by the rules" on floppy disks, but I have seen very few of these. Again, be aware that some security products' maintenance disks (e.g. my DiskSecure again) may also violate these rules, so if a disk is flagged as infected, be aware that there is a small chance that it may be a valid disk. It is also possible that some disk formatting routines may legitimately violate my somewhat arbitrary rules. If so, I would like to know about it.

Since some "stealth" viruses may return correct values to CHKBOOT, it is recommended that CHKMEM be run first unless the system is known to be clean. Those "stealth" MBR infections that I have observed are detectable with CHKMEM when resident.

Just to make things a bit more difficult for would-be virus-writers, the rules these publicly-released versions use are slightly different than those in my personal toolkit but are designed to be just as effective at finding viruses.

Note: while these programs are designed to provide indication that a virus such as STONED or MICHELANGELO is present, they do nothing to remove such viruses; the proper treatment will depend on the virus encountered. For protection, please see my FREEWARE programs SafeMBR and NoFBoot.

RETURNS: While these programs were originally designed for manual use, errorlevel returns have been added for use in batch files (CHKBOOT should only be used this way on fixed disks) or from Network servers. Returns will be 0 for valid termination and 1 or 2 for suspect termination.